ALAS2-2022-1734 --- aws-kinesis-agentID: oval:org.secpod.oval:def:1700801 | Date: (C)2022-02-01 (M)2023-11-13 |
Class: PATCH | Family: unix |
Apache Log4j2 versions 2.0-beta7 through 2.17.0 are vulnerable to a remote code execution attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2
Product: |
aws-kinesis-agent |